During a test, we found an open port on a server. After some digging, we realised this port was used by a protocol we never heard of before, namely MQTT. Therefore, we decided to dig a little a little deeper to see what this protocol had to offer.
Approximately thirty minutes later, we were looking at coordinates for airplanes. An hour later, the list had increased to include Prisons with door control, cars, electrical meters, medical equipment, mobile phones, status of home alarm and home automation systems and a whole lot of other devices. Not only could we see the data sent and received by these devices, but even more so, we could actually control the devices. We could send messages and commands, and we could even issue firmware updates to devices, and even open Prison Doors!
MQTT it is used by a lot of M2M IoT devices, especially devices that require low-bandwidth communication. There is very little previous research on this protocol and the devices that use it; all we found was a very basic fuzzer and a few posts about security. The protocol is widely used by devices with low or intermittent internet access.
We have created our own small tool for testing endpoints, and we have discovered that many times, protocol data is written into SQL databases, so we will also look at SQL and server attacks through this protocol. That was then, over a year ago. How does it look today? Is it getting worse? What new 'fun' devices have we found since then, and what was the worlds response to our findings?
Lucas Lundgren started breaking things at the age of twelve, and has reported numerous vulnerabilities since then, working with global security leaders including Sony Ericsson and IOActive. Primarily focused on penetration testing, fuzzing, and exploit development, Lucas has a passion for IoT and Smart Technology.